AFAL-TR-72-113 


NINETEEN  RULES  FOR  AVIONICS  DESIGN  ENGINEERS 


Albert  Goldman 


TECHNICAL  REPORT  AFAL-TR-72-113 
Hay  1972 


Approved  for  public  release;  distribution  unlimited. 


Air  Force  Avionics  Laboratory 
Air  Force  Systems  Command 
Wright-Patterson  Air  Force  Base,  Ohio 


Repfcduu  d  L>» 

NATIONAL  TECHNICAL 
INFORMATION  SERVICE 

llSt*  H'rt  ’  i  r  ♦  v.  *  <  c"  n  tfce 

S'  .j»  Sd  VM  i:’5J 


D  D  C 

ElSEmiEj 

•|  JlIN  28  1S72 

LbUflLbU  li  LalMi 


When  Government  drawings,  specifications,  or  other  data  are  used  for  any  purpose, 
other  than  in  connection  with  a  definitely  related  Government  procurement  operation, 
the  United  States  Government  thereby  incurs  no  responsibility  nor  any  obligation 
whatsoever;  and  the  fact  that  the  government  may  have  formulated,  furnished,  or  in 
any  way  supplied  the  said  drawings,  specifications,  or  other  data,  i3  not  to  be  regarded 
by  implication  or  otherwise  as  in  any  manner  licensing  the  holder  or  any  other  person 
or  corporation,  or  conveying  any  rights  or  permission  to  manufacture,  use,  or  sell  any 
patented  invention  that  may  in  any  way  be  related  thereto. 


Copies  of  this  report  should  not  be  returned  unless  return  is  required  by  security 
considerations,  contractual  obligations,  or  notice  on  a  specific  document. 


UNCLASSIFIED 


DOCUMENT  CONTROL  DATA  -  R  &  D 

/Security  classification  ot  title,  body  of  abstract  and  Indexing  annotation  must  be  enltired  when  the  overall  report  la  classified) 
1.  ORIGINATING  ACTIVITY  (Corporate  author) 

Air  Force  Avionics  Laboratory 
Wright-Patterson  AFB,  Ohio  45433 


3.  REPORT  TITLE 

NINETEEN  RULES  FOR  AVIONICS  DESIGN  ENGINEERS 


2*.  REPORT  SECURITY  CLASSIFICATION 

Unclassified 


Zb.  CROUP 


A.  DESCRIPTIVE  NOTES  (Type  ol  report  end  Inclusive  dates) 


3-  AUTHORISJ  (First  nemo ,  middle  initial,  last  name) 

Albert  Goldman 


0.  REPORT  OATE 


la.  TOTAL  NO.  OF  PAGES  lb.  NO.  OF  REFS 

13 


Oa.  ORIGINATOR* S  REPORT  NUM8ER(S) 


AFAL-TR-72-113 


Ob.  OTHER  REPORT  no(S)  (Any  other  numbers  that  may  be  aaalQned 
this  report) 


10.  DISTRIBUTION  STATEMENT 

Approved  for  public  release;  distribution  unlimited. 

II  SUPPLEMENTARY  NOTES 

12.  SPONSORING  MILITARY  ACTIVITY 

13  ABSTRACT 

Air  Force  Avionics  Laboratory 
Wright-Patterson  AFB,  Ohio  45433 

Despite  the  use  of  integrated  circuits,  military  avionics  equipment  has  increased 
in  cost  and  complexity,  so  that  acceptable  reliability  is  still  a  problem.  As  an 
aid  to  designers  of  avionics  subsystems,  nineteen  rules  for  assuring  reliable 
products  and  avoiding  possible  pitfalls  in  test  and  evaluation  activities  are 
presented:  A 


DP,Frj473  ‘ 


UNCLASSIFIED 

Security  Classification 


/A 


Security  Classification 


AFAL-TR-72-113 


NINErtEJi  RULES  FOR  AVIONICS  DESIGN  ENGINEERS 


Albert  Goldman 


Approved  for  public  release;  distribution  unlimited. 


* 


AFAl-TR-72-113 


FOREWORD 


This  report  was  prepared  by  Sir.  Albert  Goldman,  Staff  Engineer  in 
Technical  Operations,  AFAL/DO.  It.  is  based  on  a  paper  by  Robert  Russer, 
U.S.  Ariry  Redstone  Arsenal,  published  7  Dec  1955;  but  it  has  been  revised, 
modernized,  and  broadened  to  apply  to  avionics.  It  should  be  useful  to 
younger  engineers,  and  should  also  be  a  reminder  to  experienced  engineers. 

Submitted  by  the  author  27  March  1972. 

This  report  has  been  reviewed  and  is  approved. 

♦ 

WARREN  M.  HANSEN 

Chief,  Technical  Operations  Office 


AFAL-TR-72-113 


i 

1 
i 

? 
f 

f 

l 

i 
i 

ABSTRACT  j 

Despite  the  i/se  of  integrated  circuits,  military  avionics  equipment 
has  increased  in  cost  and  complexity,  so  that  acceptable  reliability  is 
still  a  problem.  As  an  aid  to  designers  of  avionics  subsystems, 
nineteen  rules  for  assuring  reliable  products  and  avoiding  possible 
ritfalls  in  test  and  evaluation  activities  are  presented. 


AFAL-TR-72-n  3 


NINETEEN  RULES 

FOR  AVIONICS  DESIGN  ENGINEERS 


Despite  the  use  of  integrated  circuits,  military  electronic  equipment 
has  increased  in  complexity  and  cost,  so  that  acceptable  reliability 
and  serviceability  are  still  among  the  top  problems  of  the  Defense 
Department. 

The  goals  of  reliability  and  low  cost  of  ownership  demand  strict 
attention  to  specifications,  simplicity  in  construction,  and  where  practical, 
testing  to  failure. 

Since  the  overall  reliability  of  a  complex  electronic  system  equals 
not  the  average  but  the  product  of  the  reliabilities  of  its  components, 
if  a  missile  subsystem  contains  100  components  each  having  99%  reliability 
(a  widely  accepted  standard  of  quality),  the  overall  reliability  would 
turn  out  to  be  only  36.5%.  In  a  subsystem  with  1000  components  having 
the  same  99%  reliability,  the  overall  reliability  would  turn  out  to  be 
only  0.005%. 

The  reliability  formula  indicates,  furthermore,  that  in  order  to 
achieve  an  overall  reliability  of  80%  for  a  missile  containing  4000 
components  (which  is  not  unusual)  one  can  tolerate,  on  the  average,  not 
more  than  one  failure  in  18,000. 


1 


AFAL-TR-72-113 


As  an  aid  to  the  designers  of  avionics  subsystems  and  their  components, 
the  following  nineteen  rules  are  offered: 

1.  Reliability  is  a  probability  that  an  item  will  operate  success¬ 
fully  under  service  conditions.  Recognize  clearly  this  mathematical 
implic l^'on;  study  the  basic  concepts  of  statistics  and  probability. 

2.  Avoid  Rube  Goldberg  designs.  Unreliability  goes  up  with  the 
square  of  the  number  of  the  components.  A  very  complex  design  may  never 
become  reliable  and  serviceable.  Simplicity  should  be  the  art,  vocation, 
and  objective  of  every  designer. 

3.  Mistrust  the  concept  of  redundancy  unless  you  include  foolproof 
ways  to  switch  to  the  stand-by  components. 

4.  Mistrust  the  concept  of  Environmental  Testing.  It. teaches  that 
missiles  and  their  components  can  be  debugged  prior  to  flight  by  shaking, 
shocking,  or  pre-aging.  Actually,  bugs  may  not  only  be  tested  out  but 
may  also  be  tested  because  some  components  may  become  fatigued  and 
fail  later. 

5.  Mistrust  flight  testing  as  a  means  of  improving  reliability. 

Since  missiles  are  not  usually  recoverable,  and  telemetry  and  instru¬ 
mentation  are  neither  perfect  nor  complete,  it  is  difficult  to  deter¬ 
mine  the  "ultimate"  cause  of  a  failure. 


2 


AFAL-TR-72-113 


6.  Mistrust  any  specification  unless  you  have  determined  that  it  is 
really  applicable  to  the  specific  subsystem  or  component. 

7.  (let  from  those  responsible  for  the  system  design,  the  actual 
environmental  conditions  to  be  encountered.  Replies  may  be  vague,  but 

A 

insist  upon  an  answer.  If  your  subsystem  should  fail,  you  are  responsible 
and  may  have  to  take  the  blame  for  making  a  guess. 

8.  If  numerical  values  for  environmental  conditions  have  not  yet 
been  determined,  make  a  generous  estimate  and  apply  safety  factors  (of 
about  10);  the  less  the  environmental  condition  is  known,  the  greater 
should  be  the  safety  factor  applied  to  the  estimate.  Once  the  condition 
has  become  known,  say  through  flight  tests,  you  may  find  it  desirable 

to  reduce  the  safety  factor.  This- is  preferable  to  having  to  beef  up 
the  components  at  a  later  stage,  which  is  costly  and  strenuously 
resisted  by  the  system  engineers. 

9.  Never  worry  that  the  reliability  of  your  components  is  too  high. 
Rather,  strive  for  "absolute"  reliability;  that  is,  make  sure  that  the 
probability  of  failure  will  be  not  more  than  one  unit  in  10,000  or,  better, 
one  in  100,000,  under  service  conditions.  Only  then  may  you  be  sure 

that  your  component  will  never  "kill"  an  expensive  missile.  Consider 
every  component  as  a  potential  "killer"  of  a  missile  until  you  have  proof 
that  it  is  highly  reliable.  Mistrust  any  claim  of  "high  quality"  and 
"maximum  reliability"  unless  you  know  that  the  selected  component  can 
stand  the  environment  with  unusually  high  safety  factors. 


3 


AFAL-TR-72-113 


10.  Prove  the  existence  of  these  high  safety  factors  by  testing 

all  component  types  to  failure.  This  will  help  you  to  determine  the  modes 
of  failure;  that  -is,  the  predominant  weaknesses  of  the  component.  By 
feeding  back  such  knowledge  into  design,  you  may  raise  the  reliability 
of  your  components  considerably,  sometimes  by  orders  of  magnitude. 

11.  Do  not  believe  that  the  test  to  failure  method  is  intolerably 
expensive.  It  may  cause  additional  effort  ana  worry  to  you  and  to  the 
test  laboratories,  but  in  the  long  run  it  will  pay  high  dividends  because 
it  is  virtually  the  only  way  to  raise  the  reliability  of  your  component 
up  to  the  required  "absolute"  level  and  to  make  your  subsystem  reliable 
and  serviceable. 

12.  In  planning  a  test-to-failure  program  for  your  component,  black 
box,  or  subsystem,  anticipate  all  c  .iceivable  modes  of  failure,  even  if 
some  may  appear  to  be  remote,  (ha  weapon  system  may  be  a  million  times 
more  expensive  than  your  .cnpo-.ent. 

13.  It  is  not  just  the  environment  of  shock  and  vibration  that  needs 
to  be  considered  in  a  test-to-failure  program.  Many  other  design  criteria 
may  be  hazardous,  such  as  maladjustments,  misalignments,  electrical  and 
mechanical  instabilities,  structural  overloads,  friction,  insufficient 
power  supplies,  and  mechanical  and  electrical  resonances.  Whenever  you 
have  the  slightest  suspicion  that  one  of  these  design  criteria  may 
become  hazardous  to  your  subsystem,  insist  that  it  be  included  in  the 
test-to-failure  program.  Suspicion  is  the  father  of  reliability; 
optimism  and  gullibility  ruin  it. 


4 


AFAL-TR-72-T13 


14.  lb  /ioc  rely  on  test  results  of  just  one  unit.  A  subsequent 
unit  rnight  be  much  weaker,  Test  a  statistically  significant  number  of 
units. 

15.  After  you  have  achieved  the  required  "absolute"  design  reliability 
of  your  component,  make  sure  that  it  is  maintained  in  production  and 
operation.  Follow  your  component  through  all  subsequent  phases  of 
production,  assembly,  inspection,  transportation,  storage,  and  operation. 
You  may  detect  new  unexpected  weaknesses. 

16.  See  that  periodic  tests-to-failure,  on  a  sampling  basis,  are 
performed  as  long  as  your  subsystem  is  being  produced. 

17.  Insist  that  Statistical  Quality  Control  bo  applied  to  your 
subsystem.  However,  make  sure  that  proper  yardsticks  of  reliability- 
are  applied.  Typically,  not  more  than  i  out  of  10,000  units  should 
be  permitted  to  fail. 

18.  Should  your  component  show  a  weakness,  confer  with  the  manu¬ 
facturer.  The  failure  might  have  originated  in  your  own  design  oversight. 

19.  Keep  in  close  contact  with  users.  Your  subsystem  may  have 
high  intrinsic  reliability,  yet  it  may  be  useless  if  this  reliability 
cannot  be  maintained  in  service. 


5 


